b'         U.S. Department of Energy\n         Office of Inspector General\n         Office of Audits and Inspections\n\n\n\n\nInspection Report\nUnclassified Foreign National Visits\nand Assignments at Oak Ridge National\nLaboratory\n\n\n\n\nINS-O-13-05                     September 2013\n\x0c                                           Department of Energy\n                                              Washington, DC 20585\n\n                                                 September 16, 2013\n\nMEMORANDUM FOR THE MANAGER, OAK RIDGE NATIONAL LABORATORY\n               SITE OFFICE\n\n\n\nFROM:                            Sandra D. Bruce\n                                 Assistant Inspector General\n                                   for Inspections\n                                 Office of Inspector General\n\nSUBJECT:                         INFORMATION: Inspection Report on "Unclassified Foreign\n                                 National Visits and Assignments at Oak Ridge National Laboratory"\nBACKGROUND\nIn support of its research and development mission, the Department of Energy\'s national\nlaboratories host thousands of foreign national visitors and assignees (foreign nationals) every\nyear for research collaborations and access to scientific user facilities. During calendar year\n2012, the Oak Ridge National Laboratory (Oak Ridge), which is managed by UT-Battelle, LLC,\nhosted approximately 6,400 foreign nationals. Such visits and assignments can be beneficial to\nthe Department but may also create certain security risks.\nIn October 2010, Department Order 142.3A, Unclassified Foreign Visits and Assignments\nProgram, was revised to streamline requirements and re-evaluate processes to expedite foreign\nnationals\' access to the Department\'s national laboratories. Oak Ridge implemented Department\nOrder 142.3A through its Site Security Plan, which describes the assets that require protection,\nand the programs, organizations and procedures that provide protection for these assets. The\nDepartment Order and Site Security Plan require the Laboratory to assign a host to each foreign\nnational.1 To address site specific security concerns, host responsibilities are prescribed in a\nHost Agreement and individual security plan, which is created for each visiting foreign national.2\nThese agreements provide the detailed responsibilities a host must accept prior to Oak Ridge\ngranting site access to a foreign national.\nBecause of the sensitivity of the Foreign National Visits and Assignments Program, and recently\nupdated Department policy, we initiated this inspection to determine if Oak Ridge had effective\nprocedures to mitigate risks regarding foreign nationals\' unauthorized access to sensitive\ninformation and national security assets, including technologies and equipment.\n\nRESULTS OF INSPECTION\n\nOur inspection revealed that improvements are needed in the implementation of the Department\'s\nForeign National Visits and Assignments Program at Oak Ridge. We determined that contrary\n\n1\n    Hosts are individuals who are assigned the day-to-day management and security of the foreign nationals.\n2\n    Individual security plans detail specific requirements to be met by the host for monitoring each type of foreign\n    national.\n\x0cto Host Agreements and individual security plans, hosts did not always maintain accountability\nof foreign nationals as required. In addition, we found that Oak Ridge Office of\nCounterintelligence (Counterintelligence) officials did not ensure that required\nCounterintelligence consultations had been documented and completed in the Department\'s\nForeign Access Central Tracking System (FACTS) for foreign nationals prior to their visits.3\n\nHost Accountability\n\nWe noted that hosts had not always maintained accountability of foreign nationals as specifically\nrequired by Host Agreements and individual security plans. For example, contrary to\nrequirements of Host Agreements or individual security plans, hosts:\n\n         Did not maintain contact with foreign nationals during their entire length of stay to ensure\n         the hosts could convey details about each foreign nationals\' work scope and technical\n         competency to Counterintelligence;\n\n         Used escorts instead of delegating alternate hosts; and\n\n         Did not conduct walk-downs of each foreign national\'s work area to ensure that there was\n         no export controlled equipment or technology in the area.4\n\nTherefore, there was no assurance that hosts appropriately monitored foreign nationals\' activities\nas required.\n\nOur review of Host Agreements and individual security plans revealed that assigned hosts are\nresponsible for foreign nationals throughout their entire stay, including any subsequent visits or\nassignments at other user facilities. Foreign nationals are usually assigned hosts located at the\nsame user facility in which they initially perform work. This allows the hosts to monitor the\nforeign national\'s visits while continuing to perform other assigned duties. However, we noted\nthat foreign nationals may also perform work away from the hosts\' user facility.\n\n                                Maintaining Contact with Foreign Nationals\n\nWe determined that 7 of the 16 hosts we interviewed did not maintain contact with foreign\nnationals during their entire stay as required by Host Agreements and individual security plans.\nDuring interviews, we were provided examples in which foreign nationals returned to work at\ndifferent Oak Ridge user facilities than their hosts\'. Furthermore, according to hosts, advanced\nnotification of return visits by the foreign nationals was not always provided. Occasionally, the\nhosts were not made aware of the return visits until after the foreign nationals had arrived on site.\nIn one instance, a foreign national arrived and departed while the host was absent from Oak\nRidge. Because the host was not notified in a timely manner, procedures requiring the\ndelegation of an alternate were not followed. The host said that in instances like this, the foreign\n\n3\n  Counterintelligence consultations are a process by which the approval authority from the local hosting site can\n  request that Counterintelligence field offices evaluate foreign national access in lieu of a required indices check.\n  Typically, Counterintelligence Consultations are conducted when indices checks may not be completed prior to the\n  arrival of a foreign visitor.\n4\n  Department Order 142.3A states that escorts are responsible for ensuring that foreign nationals working or\n  traveling within a site are escorted when required.\n\n                                                          2\n\x0cnational should have been directed to the user office and assigned another host. Our review of\nthe Personnel Access System, the Oak Ridge system used to request access to Oak Ridge\nfacilities, found that this foreign national had not been assigned to a different host.\n\nTwo additional instances were identified, both occurring in June 2012, in which the assigned\nhost did not monitor foreign nationals because they returned to another Oak Ridge user facility to\nwork. In these instances, the host claimed to be knowledgeable of the other user facilities the\nforeign nationals were working at and believed they would be properly observed. However, the\nhost did not validate that another host was assigned and appropriate monitoring of the foreign\nnationals was conducted. Our review of the Oak Ridge Personnel Access System revealed that a\nnew host had not, in fact, been assigned to these foreign nationals. The interviewed hosts\nexpressed concerns that they were unable to fulfill their host requirements because contact could\nnot be maintained with the foreign national.\n\n                                          Use of Escorts\n\nWe further determined that contrary to requirements, two programs utilized escorts instead of\nappointing alternate hosts. For instance, we identified two hosts who had 185 separate foreign\nnationals assigned to them in fiscal year 2011. In one example, a host was assigned 46 foreign\nnationals during a single visit. During these assigned periods, the hosts did not monitor the\nforeign nationals\' activities, but used escorts to assist with tours and training. In addition, Oak\nRidge officials told us that escorts performed the same duties as the host. Our review of the Site\nSecurity Plan found that the escort requirements were not addressed. Further, our review of\nindividual security plans stated that escorts of foreign nationals were not permitted at Oak Ridge.\nWe also noted that Oak Ridge escorts were not required to agree to or sign the Host Agreement\nand individual security plan executed by the host.\n\n                                Completion of Hosts Walk-Downs\n\nHosts from two of the largest user facilities at Oak Ridge reported that they were unable to\ncomplete their host responsibilities. Specifically, hosts were unable to conduct walk-downs of\nthe approved buildings and inform building occupants that foreign nationals were present. Hosts\ninformed us that foreign nationals had been provided access to approximately 20 buildings, some\nwith 24-hour access, for over 2 years. This access had been provided so foreign nationals could\nattend meetings, conferences and have access to a re-tooling laboratory on an as-needed basis.\nAlthough Department Order 142.3A does not specifically require that hosts accompany foreign\nnationals at all times, hosts indicated that because of the unlimited and open access granted to the\nforeign nationals they were unable to ensure that the requirements dictated in the Host\nAgreement and individual security plan were met.\n\nContributing Factors and Impact\n\nAlthough we did not identify any instances in which export information or other scientific\ninformation was inappropriately obtained by a foreign national, the risk that these events could\noccur is higher than acceptable because of the weaknesses in Oak Ridge\'s program. The issues\nwe identified with host accountability occurred for a number of reasons:\n\n       Foreign national hosts were not changed, regardless of the facility where work was\n       conducted. Management did not change the hosts because it required a modification of\n\n                                                 3\n\x0c         the Oak Ridge Personnel Access System, which they believed would entail a review\n         process of at least 7 days. However, in discussion with pertinent Department officials,\n         we were told that a host change would not initiate another review process.\n\n         Escort requirements for foreign nationals were not addressed in the Site Security Plan and\n         escorts were not required to agree to or sign the Host Agreement and individual security\n         plans.\n\n         Foreign nationals were provided unaccompanied access to numerous buildings and as\n         such, hosts were unable to ensure that the requirements in the Host Agreement and\n         individual security plan were met.\n\nWe found that the Oak Ridge Host Audit Program, which provided management oversight of the\nForeign National Visits and Assignments program, had also not been effectively implemented.\nFor example, we received documentation that indicated that the program may not be completely\neffective because only 8 of 1,400 trained hosts had been audited under this program since 2011.\nIn addition, hosts are expected to continue conducting day-to-day duties while assigned multiple\nforeign nationals, activities that may require the hosts to be away from their workstations. Hosts\nreported that they were uncomfortable hosting foreign nationals they were unable to monitor;\nhowever, they were told by Oak Ridge managers that performing host functions were required as\npart of their position.\n\nCollectively, these issues have the potential to increase Oak Ridge\'s security risk that sensitive\ninformation and national security assets could potentially be lost or compromised.\n\nRECOMMENDATIONS AND PATH FORWARD\n\nBased on the observations described in the report, we believe Oak Ridge can take a number of\nsteps to improve the implementation of the Department\'s Foreign National Visits and\nAssignments Program. As such, we recommend that the Manager, Oak Ridge National\nLaboratory Site Office:\n\n    1.    Direct UT-Battelle, LLC to initiate the required steps to ensure that the Personnel\n          Access System can support re-assigning hosts in a timely manner to ensure that all\n          foreign nationals are monitored as required by Host Agreements and individual security\n          plans;\n\n    2.    Direct UT-Battelle, LLC to ensure that hosts designate appropriate alternate hosts so a\n          qualified host is always present to fulfill hosting requirements;\n\n    3.    Ensure that UT-Battelle, LLC defines the role of escorts;\n\n    4.    Direct UT-Battelle, LLC to re-evaluate whether all foreign nationals to the user\n          facilities should be provided access to multiple buildings on the Oak Ridge campus,\n          and if so, to ensure that the host responsibilities can be adequately met when doing so;\n          and\n\n\n\n\n                                                 4\n\x0c      5.   Ensure that UT-Battelle, LLC establishes and implements a robust Host Audit Program\n           so host responsibilities are appropriately reviewed as part of the foreign national\n           process.\n\n                        Other Matters: Counterintelligence Consultations\n\nWe determined that Oak Ridge Counterintelligence was not documenting the use of\nCounterintelligence Consultations in FACTS as required by Department Order 142.3A.\nConsultations allow Counterintelligence field offices to conduct evaluations for foreign national\naccess in those instances where indices checks, conducted by the Intelligence Community and\ncoordinated by Headquarters Counterintelligence personnel, would not be completed by the start\ndate of the visit or assignment. We were told by a senior Oak Ridge Counterintelligence official\nthat they had not entered this information into FACTS based on a waiver that was received in an\nemail from Headquarters Counterintelligence in 2005. However, based on our discussion with a\nHeadquarters official from the Office of Health, Safety and Security, the 2005 email may have\nbeen misinterpreted and Counterintelligence Consultations should have been entered into\nFACTS. Subsequently, we discussed this matter with the Oak Ridge Counterintelligence staff\nand they implemented procedures to correct this issue. We confirmed that the issue had been\naddressed by accessing FACTS and viewing the information.\n\nMANAGEMENT COMMENTS AND INSPECTOR RESPONSE\n\nThe Oak Ridge Site Office concurred with the report recommendations and identified actions it\nhad planned or had already taken to address our recommendations. In response to the report\nrecommendations a "Mass Host Change" tool is now available in the Personnel Access System,\nwhich allows for new host(s) to be assigned quickly and requires the new host to accept the Host\nAgreement/Acknowledgement and associated security plan. UT-Battelle will also process,\nidentify and implement a method of ensuring qualified hosts or qualified escorts are available to\nfulfill hosting requirements; define specific roles and responsibilities of escorts through\nprocedural requirements; review foreign national access to user facilities and ensure building\naccess is assigned based on the identified need and that host responsibilities to the assigned\nfacilities can be met; and they will identify a process and implement a Host Audit Program to\nensure host responsibilities are appropriately reviewed and documented through reports and\nperformance metrics.\n\nWe consider management\'s comments responsive to the report\'s recommendations.\n\nAttachment\n\ncc:   Deputy Secretary\n      Under Secretary for Science\n      Chief of Staff\n      Chief Health, Safety and Security Officer\n      Manager, Oak Ridge Office\n\n\n\n\n                                                  5\n\x0c                                                                                    Attachment 1\n\n                      OBJECTIVE, SCOPE AND METHODOLOGY\n\nOBJECTIVE\n\nBecause of the sensitivity of the Foreign National Visits and Assignments Program, and the\nissuance of the updated Department of Energy (Department) Order 142.3A, Unclassified Foreign\nVisits and Assignments Program, we initiated this inspection to determine if Oak Ridge National\nLaboratory (Oak Ridge) had effective procedures to mitigate risks regarding foreign nationals\'\nunauthorized access to information, technologies or equipment.\n\nSCOPE\n\nWe completed the fieldwork for this performance inspection from January 2012 to September\n2013, at Oak Ridge National Laboratory in Oak Ridge, Tennessee.\n\nMETHODOLOGY\n\nTo accomplish the inspection objective, we:\n\n       Reviewed applicable regulations, directives and policies related to unclassified foreign\n       national visits and assignments;\n\n       Reviewed and analyzed information contained in the Department\'s Foreign Access\n       Central Tracking System and the UT-Battelle Personnel Access System required for\n       documenting foreign national visits and assignments; and\n\n       Interviewed appropriate officials from Headquarters, Oak Ridge and UT-Battelle, LLC.\n\nWe conducted this performance-based inspection in accordance with the Council of the\nInspectors General on Integrity and Efficiency\'s Quality Standards for Inspection and\nEvaluation. Those standards require that we plan and perform the inspection to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our conclusions and observations based on\nour inspection objective. We believe the evidence obtained provided a reasonable basis for our\nconclusions and observations based on our inspection objective. Accordingly, the inspection\nincluded tests of controls and compliance with laws and regulations to the extent necessary to\nsatisfy the inspection objective. Because our review was limited, it would not necessarily have\ndisclosed all internal control deficiencies that may have existed at the time of our inspection.\nAlso, we assessed the Department\'s compliance with the Government Performance and\nResults Modernization Act of 2010 and determined that the Department had established\nperformance measures, in general, relating to the operation and security of foreign national\nvisitors and assignments. Finally, we relied on computer-processed data, to some extent, to\nsatisfy our objective. We confirmed the validity of such data, when appropriate, by reviewing\nsource documents.\n\nManagement waived the exit conference.\n\n\n\n                                                6\n\x0c                                                                            Attachment 2\n                             PRIOR REPORT\n\n\nSpecial Report on The Department\'s Unclassified Foreign Visits and Assignments\nProgram (DOE/IG-0791, March 2008). The objective of this review, due to the\nsensitivity of the program and the potential for harm, was to determine whether the\nDepartment of Energy (Department) had improved the management of its Foreign\nVisits and Assignments Program. The report determined that the Department had\naddressed several previously reported issues. However, additional and continuing\nweaknesses diminished the effectiveness of controls designed to reduce the security risk\nassociated with foreign visits and assignments. In particular, hosts for foreign nationals\n\xe2\x80\x93 individuals responsible for the day-to-day management and security associated with\nvisits or assignments \xe2\x80\x93 had not ensured that a number of protective measures were\nimplemented. These problems or programmatic shortcomings caused us to conclude\nthat security risks associated with the Department\'s Foreign Visits and Assignments\nProgram remain higher than necessary. Contractor operated laboratories had not\nensured that hosts were cognizant of their responsibilities and were performing them\nproperly. Those laboratories and the Office of Foreign Visits and Assignments also had\nnot taken sufficient steps to ensure that data in the Foreign Access Central Tracking\nSystem was reliable. Problems with recordkeeping and tracking could limit the\nDepartment\'s ability to provide accurate and/or complete foreign national information\nto law enforcement agencies.\n\n\n\n\n                                       7\n\x0c                      Attachment 3\n\nMANAGEMENT COMMENTS\n\n\n\n\n         8\n\x0c    Attachment 3 (continued)\n\n\n\n\n9\n\x0c                                                                    IG Report No. INS-O-13-05\n\n\n\n                               CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if applicable to you:\n\n     1. What additional background information about the selection, scheduling, scope, or\n        procedures of the audit or inspection would have been helpful to the reader in\n        understanding this report?\n\n     2. What additional information related to findings and recommendations could have been\n        included in the report to assist management in implementing corrective actions?\n\n     3. What format, stylistic, or organizational changes might have made this report\'s overall\n        message clearer to the reader?\n\n     4. What additional actions could the Office of Inspector General have taken on the issues\n        discussed in this report that would have been helpful?\n\n     5. Please include your name and telephone number so that we may contact you should we\n        have any questions about your comments.\n\nName __________________________________ Date ________________________\n\nTelephone ______________________________ Organization __________________\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact our office at (202) 253-2162.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                    http://energy.gov/ig\n\n  Your comments would be appreciated and can be provided on the Customer Response Form\n                                 attached to the report.\n\x0c'